rprf Menu

About

Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.

August 21, 2017

Are Our Wallets About to Get Thinner?

In February 2011, I was in Salt Lake City for the annual Smart Card Alliance conference, and a representative from the now-defunct Isis Mobile Wallet was delivering the keynote address. As part of the keynote, the speaker played a video clip from the Seinfeld show that famously depicts the "Costanza wallet," a wallet so overstuffed that it gave George a backache from sitting on it. The conference speaker had us imagining a world where our mobile phones replaced our physical wallets. Six-and-a-half years later, that world remains a dream. But are we closer to it, with private-label cards possibly leading the way?

As I was paying for my coffee this morning through a mobile phone app, it dawned on me that I haven't used a physical card for this specific retailer in at least three years. The retailer's mobile app has replaced my physical card, a private-label prepaid card, as my payments credential. I no longer have a need for the card at this retailer, nor do I want one—I'd prefer to keep my wallet from becoming a "Costanza wallet." And while my example describes a prepaid card, I believe that this retailer's model is indicative of what's on the horizon for private-label store credit cards as well.

I usually quickly turn down any offers for private-label credit cards at retailers. Even though these cards come with some sweet deals and benefits, I just don't want more plastic in my wallet. But what if this credential could be issued directly within the retailer's mobile application without ever issuing a plastic card? Sign me up!

I remain skeptical about the future of the so-called "pay wallets," but continue to believe that the future of mobile payments will be driven by retailers' mobile apps. And I think these mobile apps present these retailers the ideal opportunity to drive their private-label prepaid or credit adoption and usage without ever having to issue a plastic credential. If the credential that retailers issued were in electronic form, such as a token or virtual card, it could disrupt the plastic card industry—approximately 360 million credit and 4.5 billion prepaid cards in 2015, according to the Nilson Report. Plus, merchants would benefit by avoiding the cost of issuing and distributing cards.

So back to my original question: Are we closer to a world with thinner wallets, and with private-label cards possibly leading the way? I don't think our physical wallets will ever go away, but I do believe that they will slim down as we witness a substantial rise in the issuance of private-label virtual credentials in the future on a wide range of connected devices. In fact, I'm willing to go out on a limb and suggest that these credentials will eventually overtake the number of physical cards. What do you think on the future of plastic in the private-label space? And what new challenges, if any, will the virtualization of plastic have on the personalization and authentication of payment credentials?

Comments

Post a comment

Please submit appropriate comments. Inappropriate comments include content that is abusive, harassing, or threatening; obscene, vulgar, or profane; an attack of a personal nature; or overtly political.

August 14, 2017

Extra! Extra! Triennial Payments Data Available in Excel!

In countless old black-and-white movies, street newspaper vendors would shout out the latest sensational news from hot-off-the-press special editions. The Fed is no different in that we want to shout out that it is no longer necessary to mine the PDF-based Federal Reserve Payments Study report to extract the study's data. For the first time, we are offering our entire aggregated data set of estimated noncash payments in an Excel file. The report accompanying the data is here.

The data set is very rich and covers the following categories:

Accounts and cards

Private-label credit processors

Checks

Person-to-person and money transfer

ACH

Online bill pay

Non-prepaid debit

Walk-in bill pay

General-purpose prepaid

Private-label ACH debit

Private-label prepaid issuers & processors

Online payment authentication

General-purpose credit

Mobile wallet

Private-label credit merchant issuers

Here is another table that is just one extract from the non-prepaid debit card portion of the extensive payments data available.

To get a taste of what this data can teach us, let's look closer at the cumulative volume distribution by payment dollar value threshold for non-prepaid debit cards (the data are shown above) along with general-purpose credit cards. The number and value of both types of payments grew substantially from 2012 to 2015, the last two survey periods. The chart compares these distributions, showing more vividly how this growth affected the relative proportions of payments of different dollar values.

For example, debit card payments below $25 accounted for 59.1 percent of all payments in 2012 versus 61.8 percent in 2015—evidence that debit card purchases are migrating to lower ticket amounts. The trend is even more dramatic over the same time span for general-purpose credit cards.

Because this is a distribution, increases in the relative number of small-value payments must be offset by decreases in the relative number of large-value payments. Unfortunately, our previous survey capped the payment threshold at $50 in 2012. Otherwise, we would see the dashed 2012 lines crossing over the solid 2015 lines at some payment value threshold above $50. In brief, the results suggest cash payments are continuing to migrate to debit cards, while credit cards may be garnering some share at the expense of both cash and debit cards.

The challenge is on for you data analysts out there. Please share your findings.

By Steven Cordray, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

Comments

Post a comment

Please submit appropriate comments. Inappropriate comments include content that is abusive, harassing, or threatening; obscene, vulgar, or profane; an attack of a personal nature; or overtly political.

June 19, 2017

Calculating Fraud: Part 2

Part 1 of this two-part series outlined an approach for whittling down credit card transactions to the value or number of authorized and settled payments as the denominator for calculating a fraud rate. This post reviews the elements needed to quantify the numerator.

To summarize from the previous post, when analyzing credit card fraud rates, you should consider what is being measured and compared. To calculate a fraud rate based on value or number, you need a fraud tally in the numerator and a comparison payment tally in the denominator. The formula works out as follows:

Fraud Rate = Numerator Denominator

Where, for any given period of time Numerator = Value, or number of fraudulent payments across the payments under consideration, Denominator = Value, or number of payments under consideration.

Before calculating the numerator value, you must first decide what types of fraud to include in the measurement. One stratification method divides fraud into the following two categories:

First-party payments fraud results when a dishonest but seemingly legitimate consumer exploits a merchant or financial institution (FI). That is, the legitimate cardholder authorizes a credit card transaction as part of a scam. One manifestation of this is "friendly fraud," whereby a consumer purchases items online and then falsely claims not to receive the merchandise.

Third-party payments fraud occurs when a legitimate cardholder does not authorize goods or services purchased with his or her credit card. Besides the victimized cardholder, the other two parties to the transaction are the fraudster and the unsuspecting merchant or FI.

Sometimes no clear delineation between first-party and third-party fraud exists. For example, a valid cardholder may authorize a payment in collusion with a merchant to commit fraud.

The 2016 Federal Reserve Payments Study used only third-party unauthorized transactions that were cleared and settled in tabulating fraud. The study measured and counted fraud as having occurred regardless of whether a subsequent recovery or chargeback occurred. Survey results had to be adjusted because some card networks report gross fraud while others report net fraud, after recoveries and chargebacks. Furthermore, the study made no effort to determine which party, if any, in the payment chain may ultimately bear the loss. Finally, the study did not measure attempted fraud.

Excluding first-party payments fraud The study excluded first-party fraud due to the greater ambiguity around identifying and measuring it along with the idea that it is difficult to eliminate, given that controls are relatively limited. One control option would be to place repeat offenders on a negative list that, unfortunately, might not be shared with other parties. As a result of excluding first-party fraud, the study focused on fraud specific to the characteristics of the payment instrument being used.

Paraphrasing from page 30 of the 2013 Federal Reserve Payments Study, first-party fraud, while important, is an account-relationship type of fraud and typically would not be included as unauthorized third-party payments fraud because the card or account holder is by definition authorized to make payments. Consequently, first-party fraud can occur no matter how secure the payment method.

As with tallying payments, you could follow a similar process for tallying fraudulent payments for other types of cards payments, with more questionnaire definitions and wording changes needed for other instruments such as ACH and checks.

By Steven Cordray, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

Comments

Post a comment

Please submit appropriate comments. Inappropriate comments include content that is abusive, harassing, or threatening; obscene, vulgar, or profane; an attack of a personal nature; or overtly political.

May 15, 2017

What Canada Knows That We Don't

In a previous post, I made reference to the pending release of a Bank of Canada study on the costs of point-of-sale payments in Canada. Last month, the study was released. This study covers cash as well as debit and credit card payments. It's a fascinating read that highlights what little comprehensive knowledge we have about comparable costs of payments in the United States.

The scope of the study was limited to the following parties in the payment chain:

Bank of Canada and Royal Canadian Mint (prints and distributes currency)

As background, the study categorizes costs of payments from the parties above into social (or resource) and private costs. Social costs include all internal and outsourced costs to parties outside the scope of the study. Excluded are transfer fees paid among parties within the scope of the study (for example, fees paid by retailers to FIs serving as card acquirers). This exclusion avoids overstating total social costs since fees paid to one party in the payments chain are revenue to another party in the payments chain. With this adjustment, aggregating social costs across all parties reflects the total resources expended for the entire country to facilitate payments. True or private costing from a particular party in the payment chain is simply the sum of its social costs plus any transfer fees paid to other parties within the scope of the study. Knowing private costs provides insight into which payment instruments are preferred from a costing perspective.

Here are some selected highlights from the study:

Total annual social costs clocked in at 15.3 billion (Can$), which comprises 0.78 percent of Canada's gross domestic product (GDP). In comparison, a paper from the Kansas City Fed highlights GDP figures ranging from 0.5 percent to 0.9 percent for other developed countries. Unfortunately, no comparable comprehensive study has been conducted in the United States. Using indirect approaches based on assumptions, some sources have estimated that the cost of the payments system in the United States could be as high as 2 percent of GDP. Unfortunately, we don't have any definitive sources on what the figure really is.

Below are the average social costs, transfer fees, and private costs (that is, sum of social costs and transfer fees) per transaction across the payment chain (in Can¢) by payment instrument.

We can see that transfer fees among the parties in the payments chain are relatively minimal for cash. Consumers proportionally pay higher transfer fees for debit card payments due to transaction fees paid to FIs. Transfer fees that retailers pay are proportionally high for debit cards and significantly higher for credit cards. Based on private costs alone, credit cards costs are less costly to consumers, while retailers incur the highest cost in accepting credit cards. These findings are generally consistent with studies conducted in other countries.

Lastly, the study further subdivides costs into fixed costs and variable costs based on the number of payments and by the value of payments. Along with the number and value of payments, costing components in Canadian dollars are itemized below:

Because of the central and significant role payments play in any economy, many current payments policy questions circulate around payments—in particular the costs associated with adopting and accepting various payment methods, fraud experience and prevention, and compliance with security standards and requirements. What are your views on the value of a comprehensive cost survey in this country?

By Steven Cordray, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

Comments

Post a comment

Please submit appropriate comments. Inappropriate comments include content that is abusive, harassing, or threatening; obscene, vulgar, or profane; an attack of a personal nature; or overtly political.

January 9, 2017

The Year in Review

As we move into 2017, the Take on Payments team would like to share its perspectives of major payment-related events and issues that took place in the United States in 2016, in no particular order of importance.

Cybersecurity Moves to Forefront—While cyber protection is certainly not new, the increased frequency and sophistication of cyber threats in 2016 accelerated the need for financial services enterprises, businesses, and governmental agencies to step up their external and internal defenses with more staff and better protection and detection tools. The federal government released a Cybersecurity National Action Plan and established the Federal Chief Information Security Office position to oversee governmental agencies' management of cybersecurity and protection of critical infrastructure.

Same-Day ACH—Last September, NACHA's three-phase rules change took effect, mandating initially a credit-only same-day ACH service. It is uncertain this early whether NACHA will meet its expectations of same-day ACH garnering 1 percent of total ACH payment volume by October 2017. Anecdotally, we are hearing that some payments processors have been slow in supporting the service. Further clarity on the significance of same-day service will become evident with the addition of debit items in phase two, which takes effect this September.

Faster Payments—Maybe we're the only ones who see it this way, but in this country, "faster payments" looks like the Wild West—at least if you remember to say, "Howdy, pardner!" Word counts won't let us name or fully describe all of the various wagon trains racing for a faster payments land grab, but it seemed to start in October 2015 when The Clearing House announced it was teaming with FIS to deliver a real-time payment system for the United States. By March 2016, Jack Henry and Associates Inc. had joined the effort. Meanwhile, Early Warning completed its acquisition of clearXchange and announced a real-time offering in February. By August, this solution had been added to Fiserv's offerings. With Mastercard and Visa hovering around their own solutions and also attaching to any number of others, it seems like everybody is trying to make sure they don't get left behind.

Prepaid Card Account Rules—When it comes to compliance, "prepaid card" is now a misnomer based on the release of the Consumer Financial Protection Bureau's 2016 final ruling. The rule is access-device-agnostic, so the same requirements are applied to stored funds on a card, fob, or mobile phone app, to name a few. Prepaid accounts that are transactional and ready to use at a variety of merchants or ATMS, or for person-to-person, are now covered by Reg. E-Lite, and possibly Reg. Z, when overdraft or credit features apply. In industry speak, the rule applies to payroll cards, government benefit cards, PayPal-like accounts, and general-purpose reloadable cards—but not to gift cards, health or flexible savings accounts, corporate reimbursement cards, or disaster-relief-type accounts, for example.

Mobile Payments Move at Evolutionary, Not Revolutionary, Pace—While the Apple, Google, and Samsung Pay wallets continued to move forward with increasing financial institution and merchant participation, consumer usage remained anemic. With the retailer consortium wallet venture MCX going into hibernation, a number of major retailers announced or introduced closed-loop mobile wallet programs hoping to emulate the success of retailers such as Starbucks and Dunkin' Brands. The magic formula of payments, loyalty, and couponing interwoven into a single application remains elusive.

EMV Migration—The migration to chip cards and terminals in the United States continued with chip cards now representing approximately 70 percent of credit/debit cards in the United States. Merchant adoption of chip-enabled terminals stands just below 40 percent of the market. The ATM liability shift for Mastercard payment cards took effect October 21, with only an estimated 30 percent of non-FI-owned ATMs being EMV operational. Recognizing some of the unique challenges to the gasoline retailers, the brands pushed back the liability shift timetable for automated fuel dispensers three years, to October 2020. Chip card migration has clearly reduced counterfeit card fraud, but card-not-present (CNP) fraud has ballooned. Data for 2015 from the 2016 Federal Reserve Payments Study show card fraud by channel in the United States at 54 percent for in person and 46 percent for remote (or CNP). This is in contrast to comparable fraud data in other countries further along in EMV implementation, where remote fraud accounts for the majority of card fraud.

Distributed Ledger—Although venture capital funding in blockchain and distributed ledger startups significantly decreased in 2016 from 2015, interest remains high. Rather than investing in startups, financial institutions and established technology companies, such as IBM, shifted their funding focus to developing internal solutions and their technology focus from consumer-facing use cases such as Bitcoin to back-end clearing and settlement solutions and the execution of smart contracts.

Same Song, Same Verse—Some things just don't seem to change from year to year. Notifications of data breaches of financial institutions, businesses, and governmental agencies appear to have been as numerous as in previous years. The Fed's Consumer Payment Choices study continued to show that cash remains the most frequent payment method, especially for transactions under 10 dollars.

All of us at the Retail Payments Risk Forum wish all our Take On Payments readers a prosperous 2017.

Comments

Post a comment

Please submit appropriate comments. Inappropriate comments include content that is abusive, harassing, or threatening; obscene, vulgar, or profane; an attack of a personal nature; or overtly political.

As is common in other countries, card fraud can be categorized as follows across person-present and remote payment channels:

Counterfeit card: Fraud is perpetrated using an altered or cloned card.

Lost or stolen card: Fraud is undertaken using a lost or stolen card.

Card issued but not received: A newly issued card in transit to a card holder is intercepted and used to commit fraud.

Fraudulent application: A new card is issued based on a fake identity or on someone else's identity.

Other: "Other" fraud includes account takeover and other types of fraud not covered above.

Fraudulent use of account number: Fraud is perpetrated without using a physical card.

An extract from the fraud section of the IDR shows breakouts for card fraud by type across five countries.

As reflected in the numbers, the United States continues to be by roughly an order of magnitude a continuing and persistent target for card counterfeiters using stolen card data compared to other countries that have adopted much earlier counterfeiting controls using EMV (chip) cards. Use of chips makes in-person card fraud more difficult, because of built-in technology to thwart the creation of counterfeit chip cards. As adoption of chips for cards and terminals improves in the United States, fraud using stolen card data is likely to shift from person-present to remote channels as has already occurred in other developed countries. My colleague, Doug King, discusses these issues in detail in an interview conducted last year.

Look for other Take On Payments posts that highlight additional key findings from the 2016 payments study.

By Steven Cordray, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

Comments

Post a comment

Please submit appropriate comments. Inappropriate comments include content that is abusive, harassing, or threatening; obscene, vulgar, or profane; an attack of a personal nature; or overtly political.

June 13, 2016

What Is GPR Feeding On? Part 2 of 2

In part 1, I shared several studies on the appetite for general-purpose reloadable (GPR) prepaid cards. It turns out there is little public data covering the fraud portion of the industry. I look forward to results from the Federal Reserve's 2016 Payments Study, which added a number of questions related to GPR card fraud.

Last week, LexisNexis® released a fraud study titled Issuers Confront Application Fraud and Account Takeover in a Post-EMV U.S. The study reports that issuers annually lose $10.9 billion to card fraud overall, with 4 percent attributed to all types of prepaid cards (not just GPR), 25 percent to debit cards, and 71 percent to credit cards. The study examines what types of fraud schemes are responsible for losses, but the data is aggregated and not broken down by card type. We will look at these results and I will describe how fraudsters could use prepaid to perpetrate that type of fraud.

Lost/stolen cards: 28 percent of total card fraud

GPR card information can be lost or stolen in a variety of ways—as can happen with all payment card instruments. When the fraudster acquires the account numbers, he or she can then sell, clone, or counterfeit new cards to make fraudulent purchases. The most common schemes include:

Skimming magnetic stripes via compromised ATM or POS terminals

Cyberattacks/data breaches

Simply lost or stolen cards

"Lost or stolen" also include information obtained from extortion by coercive measures and deceptive marketing. Fraudsters trick consumers into loading funds on a prepaid card and then handing over the account information. Some prepaid issuers have included warnings about this type of crime on their packaging. Some recent schemes include:

Pretending to represent a creditor or utility and convincing victims they are overdue on bills and must immediately make a payment using a prepaid card

Money-winning schemes (I always win cruises) whereby a consumer must pay taxes on the winnings with a prepaid card

Account takeover: 20 percent

These schemes typically involve business bank accounts. However, a blog by Kreb’s on Security describes a well-known case involving prepaid. Cybercriminals allegedly breached a number of payment processors over a two-year period. They acquired account information and changed account balances and daily withdrawal limits. The criminals then used the breached payment card information to clone cards to use at ATMs all over the world and withdrew nearly $55 million in cash.

Application fraud: 20 percent

Ultimately, this scheme involves the criminal opening a GPR account under a stolen or false ID, using stolen funds to open the account. Schemes that fit into this category are:

Buying prepaid cards with stolen or counterfeit cards, a growing scheme that essentially creates free money out of stolen funds

Counterfeit cards: 16 percent

Counterfeiting usually occurs in conjunction with other fraud schemes. Counterfeit cards (and even lost or stolen cards) can be sold, often at a discount to the purchaser, potentially making their way into the hands of law-abiding citizens through wholesale websites.

Maybe fraudsters stock their pantry with prepaid cards, but are these common schemes unique to GPR cards or prepaid accounts? Although it's easier to open a prepaid account with little direct human contact, couldn't we substitute debit card or credit line accounts in any of these fraud schemes? Every type of monetary instrument experiences fraud but the prepaid industry has worked diligently to address these common areas. The vast majority of prepaid customers are legitimate users that have chosen this type of product for economic or payment preference reasons.

Comments

Post a comment

Please submit appropriate comments. Inappropriate comments include content that is abusive, harassing, or threatening; obscene, vulgar, or profane; an attack of a personal nature; or overtly political.

May 23, 2016

What Would Happen If the Lights Went Out for a Long, Long Time?

In 1859, a massive geomagnetic solar storm known as the Carrington Event caused extensive damage to telegraph systems and other nascent electrical devices worldwide. Telegraph lines sparked and telegraph operators could send and receive messages without the use of electric batteries. The Northern Lights lit up the sky in all of North America. Though not widely reported, on July 23, 2012 a massive cloud of solar material similar in magnitude to the Carrington storm erupted off the sun's surface, radiating out at 7.5 million miles per hour. Fortunately the impact of the solar storm missed Earth by nine days because of the Earth's orbit position.

One report estimates that a Carrington-level storm today could result in power outages affecting as many as 20–40 million Americans for a duration ranging from 16 days to two years at an economic cost of up to 2.5 trillion dollars. A research paper in Space Weather estimated the odds of a Carrington-level storm at about 12 percent over the next 10 years. Early warning of such a storm is possible since satellites can detect impending storms and have the potential to provide a minimum one-day warning before it hits Earth.

So what would happen if the lights went out in much of the United States because of such a cataclysmic event? One could anticipate serious disruption of electronic payments such as ACH, cards, and wire transfers in the affected areas and beyond. What would one do to facilitate commerce in such an emergency? Well, cash and, to a lesser degree, checks could come to the fore. Use of checks would be problematic given the electronification of checks, high risk of fraud, and overdrawn accounts if banking systems are not up and running. Cash would have fewer problems if it were on hand to distribute to the affected population. Perhaps cash accompanied by ration books could be used to mitigate hoarding.

For a low-probability extreme-impact event that results in cash becoming the only way, among existing payment instruments, for commerce to take place, what contingency plans are in place to ensure that consumers and businesses can obtain cash? Since the contingency systems we have in place to handle a future Hurricane Katrina or Hurricane Sandy are likely not sufficient for an extreme event of nationwide scale, some of the issues that need to be resolved include:

How does one ensure that sufficient cash is on hand during an emergency?

How is cash going to be distributed and accounted for along the supply chain with ATMs and bank offices and their core systems inoperable due to no electricity?

Addressing these questions and others involves a monumental effort, and I don't have a ready answer. Fortunately, cash solves the problem for small-scale, low-value payments during a long-term power outage. That is, during the immediate, in-person exchange, it is an instrument that doesn't require electricity, communication networks, or computers.

This and other major calamities have always made me concerned about the push in some quarters for a full transition to electronic payments at the expense of payments less reliant on electricity and our communication networks. As an engineer by training, it is in my nature to wonder what can go awry if failsafe systems aren't in place when the unexpected happens.

With the possibility of a catastrophic event in our lifetime, would you rather have cash in hand or a card/mobile app? As for me, I'm going to the bank to cash out my accounts and then on to the hardware store to buy a gas-powered electric generator. Just kidding, though I think serious consideration and appreciation is needed for the contingency aspects of cash when things invariably go awry.

By Steven Cordray, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

Comments

Post a comment

Please submit appropriate comments. Inappropriate comments include content that is abusive, harassing, or threatening; obscene, vulgar, or profane; an attack of a personal nature; or overtly political.

March 7, 2016

Card Chargebacks: Sorting Out the Facts

For years, I have heard conflicting statements by card issuers and acquiring merchants about the impact of chargebacks on their businesses. A chargeback is a demand by a card issuer for a merchant to make the issuer whole for the loss of a disputed transaction by a cardholder. Because of consumer liability protections afforded under various regulations and the card brand's liability rules, the issuer or the merchant typically incurs the final loss. The issuer initiates a chargeback when a cardholder disputes a transaction on the statement—for one of a variety of reasons—if the issuer believes the merchant is financially liable under the particular card network's operating rules. Merchants may accept the chargeback and assume the loss, or they may dispute it if they believe they were in compliance with the network rules.

The debate over the amount of chargeback losses to merchants has continued over the years because of a lack of independent research, but all that has changed with a study published in January by my colleagues at the Federal Reserve Bank of Kansas City. Senior economists Fumiko Hayashi and Rick Sullivan along with risk specialist Zach Markiewicz examined chargeback and sales data from October 2013 through September 2014 from selected merchant acquirers who process more than 20 percent of network-branded card transactions in the United States. While the study examines the full chargeback landscape of four-party networks (Visa and MasterCard) and three-party networks (American Express and Discover), the focus of this post is on their findings related to card fraud—both card present (CP) and card not present (CNP)—for the four-party networks. PIN debit transaction chargebacks were not included in this study.

Some of the study's key findings are:

Overall, merchants incur 70–80 percent of all chargeback losses.

Fraud is the most common chargeback reason and accounts for approximately 50 percent of total chargebacks in value.

The average value of a fraud chargeback was $200, compared to $56 for the average sales transaction. Clearly, the criminals are going after higher-dollar value goods.

The merchant loss rate in the CNP channel of 14.17 basis points (bps) is significantly higher than the 1.02 bps loss rate for the CP channel.

As the chart shows, the merchant categories incurring the highest fraud rates were the travel and department store categories. Grocery stores had the lowest.

As previous posts have noted, the Federal Reserve is making a concerted effort to collect fraud data for non-cash payment channels to develop a holistic view and understanding of fraud trends. The Kansas City Fed is looking to repeat its study in the near future, when it will also include PIN debit transaction chargebacks. As our payments system evolves and user payment preferences change, it is vital for payments system stakeholders to be able to determine how these changes are affecting fraud losses being sustained by the various stakeholders.

By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

Comments

Post a comment

Please submit appropriate comments. Inappropriate comments include content that is abusive, harassing, or threatening; obscene, vulgar, or profane; an attack of a personal nature; or overtly political.

December 7, 2015

Inquiring Minds Want to Know More about Card Fraud

As I described in an earlier post, while doing research on expanding card fraud data collection in the Fed's upcoming 2016 triennial payments study, I came across a gap in publicly available detailed fraud data for the United States compared to what is available in other countries. Fortunately, prospective survey instruments accompanying the Federal Reserve Payments Study posted in the Federal Register for the upcoming study promise to remedy the problem. In particular, the Networks, Processors and Issuers Payments Surveys lists the following fraud classifications; I've included capsule descriptions for each.

Lost card: Fraudulent payments result from the use of a lost card.

Stolen card: Fraudulent payments result from the use of a stolen card.

Card issued but not received: Fraudulent payments result from use of an intercepted new or replacement card in transit to a card holder.

Fraudulent application: Fraudulent payments result from a new card that is issued based on a falsified or stolen identity.

Counterfeit card: Fraud is perpetrated at the point of sale by someone using an altered or cloned card based on card account details fraudulently obtained.

Other (including account takeover): All other fraud not covered above. In particular, "other" covers a form of identity theft whereby an unauthorized party gains access to and use of an existing card account.

The last triennial payments study (2013) used a bifurcated classification, distinguishing only card-present and card-not-present fraud across various card payment types. If in its place we used a more detailed classification system, it could offer a richer understanding about whether fraud was perpetrated by gaining possession of an existing card, through a data breach, or through identity theft.

But even this level of specificity may not be enough. If we were to use only the detailed classifications I provide above to map card-present and card-not-present fraud data, we still might assume that card-present fraud encompasses all fraud except for fraudulent use of account number. So by extension, what is excluded must represent card-not-present fraud, right?

But we should not be so hasty in making such assumptions.

The rub is that how each fraudulent payment is classified can depend on the case management system the issuing bank uses. For example, suppose that the skimming of a card results in the rightful card holder reporting 10 fraudulent payments. Two payments are made at the point of sale and the other eight payments are made online. Using the definitions above, some case management systems would treat all of the payments as counterfeit card while other systems may flag two as counterfeit card and the others as fraudulent use of account number. Flagging all 10 of the payments as counterfeit card would lead to overstating the number of overall card-present fraud payments at the expense of understating card-not-present fraud. Without additional detail on where the payments were initiated, we would be uncertain about the shares of card-present and card-not-present fraud.

So given the tradeoffs and trying to anticipate fraud reporting needs in the future, would it not be better to retain and possibly improve existing measurements of fraud while offering other complementary measurements to fill in the gaps? Making this more concrete, I proffer that we should be interested in the distribution of how the card or card information was obtained using the categories above as well as how the fraud was perpetrated by card entry mode and card verification methods. Being specific on the latter, we could report on fraud based on chip versus nonchip cards, point-of-sale payment versus remote payment, signature versus PIN authentication methods, and so forth. In fact, a closer review of the updated survey instruments for 2016 reveals that both survey approaches are in fact what is used.

What suggestions do you have for classifying card fraud data? All comers are encouraged to respond to the Federal Register Notice.

By Steven Cordray, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

Comments

Post a comment

Please submit appropriate comments. Inappropriate comments include content that is abusive, harassing, or threatening; obscene, vulgar, or profane; an attack of a personal nature; or overtly political.